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USER AUTHENTICATION IN MEDICAL DEVICE SYSTEMS 

CROSS-REFERENCE TO RELATED APPLICATIONS 

This application claims the benefit of U.S. Provisional Application No. 60/173,822, 
filed December 30, 1999, "User Authentication in Medical Device Systems." The 
disclosure and drawings of the provisional application are specifically incorporated 
herein by reference. 

FIELD OF THE INVENTION 
The present invention generally relates to medical device systems. 
Specifically, the invention relates to biometric-based identification systems to provide 
a hierarchy of authorized access to operational hardware and software tools in medical 
devices. The biometric data may represent iris/retina, fingerprint, voiceprint, facial, 
veinal and similar biometric identification traits of individuals. These are stored in a 
database to confirm identification of an authorized person based on a correspondingly 
comparative code assigned to the biometric traits of a specific user. The identification 
code may be implemented in instruments such as a programmer, pacing system 
analyzer (PSA), external temporary pacemaker (ETP), home monitor and other 
peripheral units that are in data communication with implanted devices in a patient. 
Access to specific therapy and diagnostic tools and content are based on the hierarchy 
of authorization such as, for example, a doctor, a nurse, a patient, or a Medtronic 
employee, each of which would have qualified access granted with respect to their 
expertise and need basis. 

BACKGROUND OF THE INVENTION 

Medical devices, particularly implanted medical devices, require occasional and at 
times, chronic adjustments based on therapy and diagnostic needs of the patient. The 
therapy and diagnostic parameters that need adjustments may involve the decisions of 
doctors, nurses, Medtronic field service personnel, patients, members of the patienf s 
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family or representative, as the case may be. Further, the parameters to be adjusted, 
or the software to be implemented, in a medical device via an instrument such as a 
programmer or instruments, would require various levels and hierarchies of expertise. 
Misadjustment of the parameters could endanger the patient's life. Accordingly, there 
is need to limit access to these instruments to primarily protect the patient's privacy 
and well being. 

Therapy regimen,and chronic patient and care treatment, via implanted 
medical devices would require timely decisions by physicians quahfied to assess the 
patient's conditions and dispense proper medical care. Further, implanted medical 
devices (IMDs) must be monitored on a regular or chronic basis to make adjustments 
of certain parameters or settings responsive to changes in a patient's condition or 
based on factors internal to the IMD. IMDs may also contain logic devices such as 
digital controllers which may need to undergo firmware or software upgrades or 
modifications. Further, various users, including doctors, nurses, Medtronic field 
personnel and the patient, may occasionally want to review physiologic data or patient 
information stored in IMDs to evaluate the performance of the device and review 
patient history as needed. Current practice provides operations in which software and 
instructions installed in an IMD could be modified responsive to patient diagnostic 
and therapeutic conditions. 

Instruments such as programmers, PSAs, ETPs and similar devices are 
becoming ubiquitous. Specifically, as the segment of the population with IMDs 
increases, health care cost management would require various home monitors and 
instruments to be available at the disposal of patients for managing the operations of 
the IMDs, either by the patients, nurses or doctors, as the case may be. For example, 
the patient may be remotely instructed to adjust certain parameters without 
intervention of the physician. Similarly, in the case of a chronic patient, a nurse may 
be assigned to visit the individual at home so that the nurse may make qualified 
decisions to adjust or modify the operations of the IMD based on a review of 
diagnostic and therapeutic parameters retrieved from the device. While empowering 
patients and other quahfied personnel is a viable economic option to reduce the cost 
of health care, user verification, user authorization and access control will clearly be 
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needed to provide a secure and safe management of implanted devices in patients. 
Specifically, all peripheral and major devices that are used in downlinking to the IMD 
may potentially be a source of security and privacy breach unless protected by a 
security system. 

There are several user authentication systems. Specifically, some implement 
biometric identification to control access to customize computer systems data. For 
example, some computers require fingerprint data to access users' sensitive 
information. 

In this regard, PCT pubhcation WO2000/22581 to Bromba, M., discloses an 
identification device with a sensor having an authentication surface with biometric 
features. A comparator compares detected biometric features of a part of the 
authentication surface of an authorized person or persons to determine the relative 
position of the sensor detected biometric features within the authentication surface. 
The computing device then computes an identification code which identifies the 
person detected by the sensor. 

Similarly, U.S. Patent No. 5,401,561 to Boms et al, discloses identification 
characteristics formed as optical markings with radiation provided by a hght source. 
The marking is in an optically transparent housing or surface or other area for at least 
a part of the wavelength range within the sensitivity range of the human eye and for a 
fiirther part outside the human eye sensitivity range. 

PCT pubhcation WO2000/43960 to Frischholz, R., discloses a recognition 
system that is based upon medical data, obtained for example, from fingerprints or 
eyes. The method involves acquisition of data by scanning with a camera, for 
comparison with reference data. In order to prevent misuse, the reference data is 
based upon several samples fi:om different positions. The user has to move a hand or 
eyes to form an object on the screen that would provide adequate data input to the 
controller. Similarly, PCT pubhcation WO2000/021021 to Frischholz, R., discloses a 
face detecting system in which the images of a face model could be generated for 
identification purposes. 

PCT publication WO2000/026823 to Garfinkle, N., discloses an individual 
medical record protection method for protecting medical records prepared in a doctors 
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office or hospital. Specifically^ the invention relates to a process by which a person 
authorized by the patient inputs personal identification and biometric codes to a 
database that checks if the biometric and Id number are in accord with that stored in 
the database. Upon confirmation, access is granted to a particular record that uses the 
Id code and the data is transmitted to the requesting site. 

Accordingly, the use of biometrics for identification and authorization of users 
based on data associated with a stored key is well known in the art. However, the 
implementation of biometric recognition systems to enable access to instruments in 
data communication with IMDs, presents new and non-obvious biometric 
implementation. Specifically, the implementation of biometric recognition systems to 
provide a layered and hierarchal access to instruments and IMDs on expertise and 
need, reduces opportunities for tampering, manipulation, error and harm to the 
patient. Accordingly, it is preferable to provide specific access to IMDs via 
instruments such as programmers, PSAs and other instruments, home monitors and 
programmers to doctors, nurses, Medtronic technicians and patients or patients' 
representatives, to enable safe monitoring and content specific adjustment or 
modifications of implanted medical devices. 

SUMMARY OF THE INVENTION 

The present invention provides a system for selective implementation of 
biometric user and instrument identification that enables secure and accurate data 
transfer between IMDs and instruments such as programmers. Embodiments of 
suitable biometric user authentication systems include, for example, user 
identification and password schemes, a scan of written signatures, biometric 
identification based on retina/iris or other unique body features, voice recognition, 
fingerprints, vein prints and similar biometric recognition traits hereinafter referred to 
as "biometric traits". 

BRIEF DESCRIPTION OF THE DRAWINGS 



P8863 
PATENT 



5 

Figure 1 is an illustration of a body implanted device system in accordance 
with the present invention, including an instrument such as a programmer in wireless 
data communication with the implanted medical device. 

Figure 2 is a perspective view of an external programming unit. The invention 
utilizes the biometric traits to insure the identity of users. Further, the system enables 
segregated access to certain tools, text and operations based on the user's expertise, 
need and quaUfications. For example, physicians have a broad-based access to 
therapeutic and diagnostic tools compared to nurses, technicians or the patients. 

Figure 3 is a perspective view of an external programming unit with biometric 
recognition systems implemented therein. 

Figure 4 is a perspective view of an external programming unit, such as an 
ETP, the biometric recognition system implemented therein. 

Figure 5 is a flow chart of one embodiment of the user authentication process 
in accordance with the present invention. 

DETAILED DESCRIPTION OF THE DRAWINGS 

Figure 1 is an illustration of an implantable medical device (IMD) system 
adapted for use in accordance with the present invention. The medical device system 
of Figure 1 includes an IMD 10 implanted inpatient 12. In accordance with 
conventional practice in the art, IMD 10 is housed within a hermetically sealed, 
biologically inert outer casing which may be conductive, to serve as an indifferent 
electrode in the IMD's pacing/sensing circuit. One or more pacemaker leads 
collectively identified with reference numeral 14 in Figure 1 are electrically coupled 
to IMD 10 in a conventional manner and extend into the patient's heart 16 via vein 18. 
Disposed generally near the distal end of leads 14, are one or more exposed 
conductive electrodes for receiving electrical cardiac signals and/or for delivering 
electrical pacing stimuh to heart 1 6. As will be appreciated by those of ordinary skill 
in the art, leads 14 may be implanted with each distal end situated in the atrium and/or 
ventricle of heart 16. Although the present invention will be described herein 
referring to this one embodiment which includes IMD 10, those of ordinary skill in 
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the art, in light of the present disclosure, will appreciate that the present invention 
may be alternately practiced in connection with numerous other types of IMDs. 

Further referring to Figure 1, an instrument/external programming unit 20 is 
shown in wireless data communication with IMD 10. Instrument 20 includes a 
programming head 22 in accordance with conventional medical device programming 
systems for facilitating two way communication between IMD 10 and instrument 20. 
In many known implantable device systems, a programming head such as that 
depicted in Figure 1 is positioned on the patient's body over the implant side of the 
device such that one or more antennae within head 22 can send RF signals to, and 
receive RF signals from, an antenna disposed within the hermetic enclosure of IMD 
10 or disposed within the connector block of IMD 10 in accordance with common 
practice in the art. 

Figure 2 is a perspective view of instrument or programming unit 20 in 
accordance with the present invention. Generally, programmer 20 includes a 
processing unit (not shown in the figure) that, in accordance with the presently 
disclosed invention, is a personal computer type mother board, for example, computer 
motherboard including an Intel Pentiumlll microprocessor and related circuitry such 
as digital memory. The details of design and operation of the programmer's computer 
system will not be set forth in detail in the present disclosure, as it is believed that 
such details are well known to those of ordinary skill in the art. 

Further, referring to Figure 2, programmer 20 comprises an outer housing 60 
which is preferably made of a thermal plastic or equivalent rugged yet relatively 
lightweight material, and a carrying handle 62 integrally formed into the front of 
housing 60. Handle 62 is retractably designed to serve as a handle so that 
programmer 20 can be carried like a briefcase. An articulating display screen 64 is 
disposed on the upper surface of housing 60. Display screen 64 folds down into a 
closed position (not shown) when programmer 20 is not in use, thereby reducing the 
size of programmer 20 and protecting the display surface of display 64 during 
transportation and storage thereof. 

As would be appreciated by those of ordinary skill in the art, it is often 
desirable to provide a means for determining the status of the patient's conduction 
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system. This is generally accomplished by external ECG leads 24 which can provide 
suitable ECG tracings. Further, in accordance with the present invention, programmer 
20 is equipped with an internal printer (not shown) so that a hard copy of a patient's 
ECG or graphics could be generated at display screen 64. Several types of printers 
such as AR 100 Printer from General Scanning Company are compatible with 
programmer 20. 

Still referring to Figure 2, programmer 20 is shown with articulating display 
screen 64, having been lifted up into one of a plurality of possible open positions so 
that the display area thereof is visible to users situated in front of programmer 20. 
Articulating display screen is preferably of the LCD or electro luminous type 
characterized by being relatively thin, as compared, for example a CRT or the like. 
As would be appreciated by those with ordinary skill in the art, display screen 64 is 
operatively coupled to the computer circuitry, disposed within housing 60, and is 
adapted to provide a visible display of graphics and/or data under control of the 
internal computer. 

Programmer 20 as illustrated herein with reference to Figure 2 is substantially 
disclosed and described in more detail in U.S. Patent No. 5,345,362 to Thomas J. 
Winkler, entitled "Portable Computer Apparatus with Articulating Display Panel", 
which patent is incorporated herein by reference in its entirety. The Medtronic Model 
9790 Programmer is the implantable device programming unit with which the present 
invention may be advantageously practiced. 

Figure 3 is a perspective view of programming unit 20 incorporating the 
biometric identification systems in accordance with the present invention. 
Specifically, biometric sensor 70 for detecting fingerprints includes an area adapted to 
fit the front part of a user's finger. Similarly, microphone 72 is implemented on panel 
64 to enable voice recognition. Further, camera 74 is implemented to enable reading 
of facial and other bodily features including iris/retina scans. 

Figure 4 is a perspective view of ETP 80. Generally, ETP 80 is a mode 
switching apparatus for an external dual chamber cardiac pacemaker having multiple 
single chamber and dual chamber primary pacing modes and user adjustable atrial and 
ventricular sensitivities. The dual chamber demand pacing mode, for example, the 
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DDE or DDI mode, is in effect as long as the atrial and ventricular pace pulse 
amplitudes are set by the user within an operative range. The pacing mode is 
switched to a single chamber demand mode when one of the atrial and ventricular 
pace pulse energies is set to an inoperative setting, which preferably is a no output 
setting. If the atrial pace pulse amplitude is set to no output, then the mode is 
switched to a single chamber demand mode with ventricular sensing and pacing, 
preferably the WI mode. If the ventricular pace pulse amplitude is set to no output, 
then the mode is switched to a single chamber mode with atrial sensing and pacing, 
preferably the AAI mode. In the implementation of ETP 80, the setting of atrial or 
ventricular pace pulse amplitude to the off position is detected and the corresponding 
atrial or ventricular sense amphfier is effectively rendered inoperative resulting in the 
mode switch. The mode switch back to the dual chamber demand pacing mode is 
affected by setting the atrial or ventricular pace pulse amplitude to any level other 
than the no output position. Preferably, the mode switch is to the DDD mode, even if 
the preceding mode switch was from the DDI mode. 

ETP 80 described herein with reference to Figure 4 is substantially disclosed 
in more detail in U.S. Patent No. 5,626,621 to Skoglund et al, entitled "Dual Chamber 
Multi-Mode External Pacemaker" , which patent is incorporated herein by reference 
in its entirety. ETP 80 includes sensor 82 for detecting fingerprints, sensor 86, which 
includes a camera, to sense biometric data representing images and/or the iris and 
microphone 84 for collecting biometric data representing voiceprint and voice 
recognition systems. 

Figure 5 is a flow chart of one embodiment of the user identification and 
authorization process 500 in accordance with the present invention. Specifically, 
when a user attempts to gain access to IMD 10, programmer 20 or ETP 80, the user 
enters appropriate authentication data at step 501. The identification data may include 
a fingerprint, an image, iris scan, voiceprint, or similar biometric traits. The system 
analyzes the input by preferably comparing it with stored data. If a match is 
confirmed, access is granted based on the authorization level to access specific tools 
and features of programmer 20, IMD 10 or ETP 80, as the case may be. Specifically, 
if authorization is confirmed, and access is authorized as shown at logic step 506, then 
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step 516 determines the type of access and level under the authorization scheme for 
the specific user based on content, class or category assigned to the user as 
appropriate. For example, step 520 illustrates a third user or an untrained user who 
may have only limited usage/access rights such as no access to programmable 
operations or patient data. Step 522, however, may permit broader access such as 
perhaps are afforded to a doctor. Further, a nurse of appropriate identification may be 
granted access to limited programmable operations relating to diagnostic and therapy 
tools. Similarly, a patient user may be authenticated to access a limited set of tools 
that may be permitted to adjust non-critical settings. Furthermore, a Medtronic field 
representative may be allowed to access only operational/functional aspects that relate 
to data collection and/or software upgrades, with strict limitations to any or all therapy 
and diagnostic tool adjustments. Alternatively, step 524 might be identified with the 
user's authentication and authorization category, and it may equate to that of a trained 
speciahst. For example, this authorization may relate to someone who is authorized 
for access to programmable operations, patient data or other rights. Step 530 
designates an end to the authorization sequence of a session. Logic pathway 504 
represents the denial of user access. However, in this scenario, step 507 queries 
whether the user is requesting access in view of a special override function or 
emergency situation. If not, then the authentication is denied at step 509. In the event 
the special override ftmction is approved, then logic pathway 5 1 1 routes the user to 
step 524. As indicated hereinabove, step 524 is normally identified with the user's 
identification and authorization category relating to a trained speciahst and may 
provide a broad-based access to diagnostic, therapeutic and operational/fimctional 
features of programmer 20, IMD 10 and ETP 80. 

It should be recognized that Figure 5 is merely one embodiment of a number 
of authentication schemes and logic systems enabled and claimed by this invention 
disclosure. Indeed, authentication system 500 may include combinations of hardware 
and software elements suitable for interface with the various instruments such as 
programmers, ETPs, PSAs and home monitors, to provide authorized access to these 
devices using the biometric identification system disclosed herein. 
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As indicated hereinabove, biometric data or traits used to authenticate and 
verify users may include retina or iris scans, fingerprint scans, vein print scans, voice 
prints, or voice recognition system, special geometry/facial recognition, hand 
geometry, veinal scans, and similar other biometric traits and features that could be 
used to positively identify a user. The authentication techniques implemented in the 
present invention include hierarchical schemes of grant to primary, secondary and 
occasional users. For example, doctors and nurses could be considered primary users, 
having access to specific therapeutic and diagnostic tools, both instruments and IMDs. 

In addition to the various biometric techniques disclosed in the present 
invention, instrument and IMD related authentication mechanisms may include 
verification through use of; inscription techniques, approved serial numbers, fixed or 
pre-loaded data signatures in the instrument or IMD memory, resistance or other 
electrical or digital characteristic matching, load recognition, or data message 
generated by one or more predetermined algorithm based on dates, events, serial 
number or other phenomenon. 

Referring now to Figures 3 and 4, the implementation of the various biometric 
identification systems in programmer 20 and ETP 80, include voice recognition via 
microphone 72 and 84 respectively, face recognition or iris scan using camera 74 or 
86 respectively, and fingerprint recognition using fingerprint sensors 70 and 82 
respectively. The iris scan and face recognition biometric systems may be the type 
manufactured by Iris Scan, Inc., Symtron Technology, Dialog Communication 
Systems, Visionics Corp. Further, biometric fingerprint sensors may be of the type 
supplied by Miaxis Biometrics Co., Advanced Biometric Solutions, Veridicon Face 
Sense, and Precise Biometrics. Further, voice recognition systems for voice print 
identification may be of the type offered by Dialogue Communication Systems. 

Accordingly, the biometric identification systems contemplated by the present 
invention may be implemented from various suppliers for incorporation in 
progranmier 20, ETP 80 and similar instruments. One of the significant aspects of the 
present invention includes the implementation of biometric data to eliminate error, 
tampering and provide patients with a high level of security to maintain medical data 
privacy. 
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Although the invention is described with reference to particular embodiments, 
it will be understood to those skilled in the art that this embodiment is merely 
illustrative of the application of the principles of the invention. Numerous 
modifications may be made therein, and other arrangements may be devised without 
departing from the spirit and scope of the invention. 



